Best Kept Security Secrets: How Assured Workloads accelerates security and compliance
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Bryce Buffaloe
Senior Product Manager, CJIS Security Lead
Digital transformation is now a strategic imperative for organizations across every industry. For governments and regulated businesses, moving services to the cloud poses a unique set of challenges.
As a vital enabler of transformation, the cloud can unlock innovation and help keep pace with the accelerating pace of digital business. Unfortunately, many government agencies and firms in regulated industries don’t have the luxury of adopting new systems at will. They must deal with issues such as limited resources, lack of digital skills, and siloed operations. However, they also face cloud-specific challenges, including:
Data sovereignty: Regulated industries and the public sector often have concerns about the location of data, how it is protected, who else can access it, and whether it is stored in a secure location.
Compliance: Government agencies and regulated businesses must ensure that their data and cloud use are compliant with all applicable government requirements, privacy and data protection laws, and other regulations.
Security: Compliance is a natural component of any strong approach to security. As a result, government regulations and industry standards mandate a responsibility to secure and protect data from unauthorized access or use.
Cost: Every organization wants to ensure it’s getting good value for their money when using cloud computing, but especially government agencies that are more likely to be working with fixed budgets and fewer resources.
To address the unique requirements of governments and other highly regulated organizations, some cloud providers have built separate government clouds (“GovClouds”) that run in specialized, stand-alone data centers that make it easier to meet specific requirements around data residency, personnel controls, and other government standards. However, isolated GovCloud environments come with limitations: They can restrict the ability to integrate regulated data with data from other sources, they create siloed infrastructure that can slow down access to new features and technologies, and they usually require more resources to manage and maintain, which translates into higher costs for end-users of GovCloud services.
But what if you could get the features of a government cloud — the certifications and strict controls on data residency and personnel access — on a commercial cloud?
This is where Assured Workloads comes in. Assured Workloads is a unique Google Cloud service that allows governments and organizations from regulated industries to meet stringent compliance requirements at scale on commercial cloud infrastructure.
What is Assured Workloads?
Assured Workloads provides a set of security controls and guardrails you can apply to your cloud environments, making it easier to achieve compliance while maintaining the advantages of a full commercial cloud. It includes features like data residency controls for specific compliance types, data and personnel access controls, and real-time monitoring for compliance violations to ensure you implement and maintain the cloud controls required by your compliance regimes.
Assured Workloads can make it easier for agencies and businesses in regulated sectors to meet compliance requirements by providing:
A secure and compliant environment: With Assured Workloads, you can create controlled environments for your regulated workloads and automatically enforce data location and resource deployment. It’s designed for customers that need to meet strict security and compliance requirements, such as the government, healthcare, and financial services sectors.
Broad security capabilities: Assured Workloads provides comprehensive security for your regulated workloads. Data is encrypted at rest and in transit by default and includes additional features, such as encryption key management according to your compliance regime and Identity and Access Management (IAM) for authentication, authorization, and user access management.
Support for multiple compliance frameworks: Assured Workloads is designed to create regulated boundaries on public cloud infrastructure that support multiple compliance frameworks across sectors, including FedRAMP, IL5, PCI DSS, SOC 2, HIPAA, and HITRUST, allowing customers to segment and label their regulated data.
Control data residency: Assured Workloads gives you the ability to control the regions where data at rest is stored.
Assured support: Assured Workloads’ approach ensures only Google Cloud support personnel meeting specific geographical locations and personnel conditions support customers’ workloads.
Instead of having to configure, manage, and maintain the right controls and guardrails yourself, you select the regulatory framework you need to follow. Assured Workloads automatically configures and deploys the controls needed to help meet your requirements.
With these specific capabilities, governments can simplify compliance configurations and monitor for violations without missing out on Google Cloud’s innovative technologies, scalability, performance, reliability, and cost savings that are hallmarks of our commercial Cloud offering.
How it works
When you use Assured Workloads to create controlled environments in Google Cloud, you will be required to set up an Assured Workloads folder. This folder acts as the regulatory boundary to help enforce your chosen compliance framework. They are created with preconfigured platform controls, which are packaged based on the specified regulated data type, personnel controls, and data location.
Assured Workloads automatically restricts developers to using products and services that are in-scope for your selected compliance framework. Security controls are mapped to Assured Workloads folders, so any Google Cloud resources you deploy in an Assured Workloads folder inherit the same controls. This also helps ensure that only Google Cloud personnel who meet your compliance requirements have the ability to support your resources and prevents resources from being deployed outside of compliant regions.
Depending on your compliance regime, Assured Workloads supports several different options for encryption. You can use any Google key management service unless your compliance requirements mandate otherwise, including Cloud Key Management Service, Cloud External Key Manager, or customer-managed encryption keys (CMEK). You can also choose Google-managed keys, which provide on-by-default FIPS-validated encryption.
Here are a few common use cases that companies are already accomplishing with Assured Workloads:
However, Assured Workloads is more than a better government cloud or a tool for highly regulated businesses. Assured Workloads is a packaged solution that provides security by default and removes toil and complexity for users. Users can reduce the time and effort required to meet their compliance requirements and also improve the security of their data.
Do I need Assured Workloads?
We believe that cloud adoption for governments, government suppliers and contractors, and other strictly regulated businesses shouldn’t have to happen in a separate, isolated cloud environment that forces tradeoffs in terms of service availability, scale, and cost. Assured Workloads is a new approach to running regulated workloads that transforms the “govcloud” into a capability that cuts down on the friction of compliance without sacrificing any of the cloud-y goodness.
To learn more about Assured Workloads, please review these resources:
Request a free trial today and experience how Aside.Assured Workloads helps you achieve compliance-based outcomes.
